The field of the invention relates to digital signatures, and particularly, using digital signatures to reliably identify a sender and the accuracy of an electronic message without using certification authorities.
The increase in electronic commerce has increased the focus on security of the electronic transactions using this medium of commerce. In the world of computer transactions and electronic contracts, there is no face-to-face acknowledgement to identify the consumer or other person wishing to perform the transaction. As institutions become more reliant on computers, they have modified their business infrastructure (i.e., their "business process") in an attempt to keep up with electronic commerce. The business process of an institution includes the methods used to interact with a customer (e.g., how transactions occur, what information is required from the customer, help desks to support the customer), the information contained in customer accounts, the databases used and how they are modified by the institution, and personnel training.
Institutions and persons desiring to utilize electronic commerce are faced with several issues regarding electronic transactions. The first issue is whether the person requesting the transaction is who they say they are ("identification"). The second issue is whether the requested transaction is actually the transaction intended to be requested ("accuracy"), in other words, whether the requested transaction has been compromised, either fraudulently or through transmission errors, during the course of transmitting and receiving the request.
To address the identity of the person requesting the transaction, current financial business processes bind information in accounts to authenticate non-face-to-face transactions. For example, an account holder's mother's maiden name, a personal identification number (PIN), and a social security number have all been used and integrated into the current financial infrastructure to aid in reliably identifying someone requesting a non-face-to-face transaction.
To address the accuracy of the electronic message being sent and the identity of the person sending the electronic message, digital signatures are utilized. Digital signatures are used with electronic messages and provide a way for the sender of the message to electronically "sign" the message as a way of providing proof of the identity of the sender and the accuracy of the message. In a digital signature system, a sender digitally "signs" the message using a private key (encryption software used to create a digital signature). The receiver validates the sender's digital signature by using the sender's public key (software used to decrypt the digital signature) sent to the receiver by the sender.
While digital signatures provide some assurance of the accuracy of the message and the identity of the sender, they are also subject to security risks. These risks include compromised private and public keys or merchant fraud. To address the security risks and validate the digital signatures, computer technology has developed "certification authorities" to be used in a Certificate Authority Digital Signature (CADS) system. In a CADS system, certification authorities are third parties that essentially "vouch" for the validity of a digital signature's public key and, hence, the validity of the digital signature.
However, certification authorities used in the CADS system come with inherent risks, such as an expired certification authority and compromised private keys, which affect the entire public key infrastructure. In addition, the increased reliability provided by certification authorities does not easily combine with the business process currently established.
Therefore, there is a need in the art for a method to increase the reliability of electronic transactions while not imposing significant modifications on the business processes already in place.
The present invention meets the needs described above by providing a method of reliably identifying the sender of an electronic message and determining the accuracy of an electronic message while utilizing the current standard business processes.
The current financial infrastructure can extend existing business processes to support high integrity electronic commerce by implementing the present invention. One embodiment of the present invention can be implemented as the Account Authority Digital Signature (AADS) system. The AADS system uses digital signatures along with validation procedures that can be implemented within current institutional business processes to identify a sender of an electronic message and determine the accuracy of the electronic message being sent.
The present invention simplifies its implementation by leveraging existing account infrastructures and by operating within existing business processes. In addition, the present invention utilizes electronic signatures in the business process for increased reliability. However, the present invention does not rely on third parties (i.e., certification authorities) for authorization, thereby avoiding any security risks or other systemic risks associated with the third parties. Finally, no new databases need to be developed to implement the present invention. Generally described, the identity of a sender of an electronic message is validated by using sender validation information along with other sender identity information stored at an institution's or person's computer system and applying the sender validation information to the encoding information received by the computer system. The sender validation information may be the sender's public key in a digital signature system.
The present invention utilizes the accuracy of electronic encoding, e.g., digital signatures, and provides a method to incorporate them into the current business processes. An institution records an encoding key and associates it with account information from the sender. This initial recording may be performed using any of the validation procedures utilized today by a business institution, for example, when the sender is opening an account and must show proof of identity.
After the initial validation of the encoding key, future electronic transactions are validated by including encoding information that can be deciphered using the valid encoding key initially stored. To validate an electronic transaction, the sender sends the electronic transaction message, the encoding information and sender identity information to the person or institution from which the sender desires validation. Having received this information, the computer system automatically retrieves the encoding information stored in the computer system that is associated with the sender identity information. The computer system then validates the electronic transaction message by applying the retrieved encoding key to the encoding information and analyzes the electronic transaction message to validate the identity of the sender and the accuracy of the message.
This validation may be performed in a digital signature system by applying a hashing algorithm to the electronic message and comparing the results to the results of applying the public key to the digital signature received.
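The registration and validation flow described above, as an added example that is not part of the original text: the institution stores the sender's public key in the existing account record and later checks a received signature against that stored key, with no certificate involved. The account identifiers, record fields, function names, the choice of SHA-256, and the toy textbook-RSA keys built from Mersenne primes are all assumptions made for illustration.

```python
import hashlib

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # sender's private exponent

def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce the hash into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int, n: int) -> int:
    """Sender side: textbook RSA signature over the message hash."""
    return pow(digest(message, n), d, n)

ACCOUNTS = {}  # the institution's existing account records (hypothetical fields)

def register_key(account_id, holder, public_key):
    """Done once, after the usual proof of identity at account opening."""
    ACCOUNTS[account_id] = {"holder": holder, "public_key": public_key}

def validate(account_id, message, signature):
    """Retrieve the key stored for the account and check the signature with it."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        return False  # no key on file for this sender identity
    n, e = record["public_key"]
    if not 0 <= signature < n:
        return False
    # Hash of the received message must equal the signature opened with the stored key.
    return pow(signature, e, n) == digest(message, n)

def demo():
    """Run the four cases a validating institution has to tell apart."""
    register_key("ACCT-1001", "A. Holder", (N, E))
    msg = b"transfer 250.00 from ACCT-1001 to ACCT-2002"  # constructed message
    sig = sign(msg, D, N)
    # A second constructed key pair that was never registered with the institution.
    n2 = (2**61 - 1) * (2**89 - 1)
    d2 = pow(E, -1, (2**61 - 2) * (2**89 - 2))
    return {
        "genuine": validate("ACCT-1001", msg, sig),
        "altered": validate("ACCT-1001", msg.replace(b"250", b"950"), sig),
        "unknown_account": validate("ACCT-9999", msg, sig),
        "unregistered_key": validate("ACCT-1001", msg, sign(msg, d2, n2)),
    }
```

Only the message signed with the key on file for the named account is accepted; an altered message, an unknown account, and a signature made with a key the institution never recorded are all rejected.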
The encoding information may be entered into a terminal via a smart card or via another computer system. The encoding information, electronic message and sender identity information may be sent to the computer system performing the validation via a closed network or via an open network, such as the Internet.
These and other advantages of the present invention may be more clearly understood and appreciated from a review of the following detailed description of the disclosed embodiments and by reference to the appended drawings and claims.